
Questions about evading AV software with Python

This blog post mentions some ways of evading AV software, but I don't understand what they mean by wrapping an executable in a python script and inserting it into a good executable. Is that any different from metasploit's templates you can use for payloads?

Also what do they mean by exporting it to a Python Array? You can't run Poison Ivy from a Python array.

The evasion technique is pretty simple: wrap the executable into a Python script (you can also use Perl or Ruby), then insert it into a good executable or export it to a new one.

Poison Ivy - Straight export to Python array. Pretty sad that it worked, actually. This is where I had hoped to create some alerts that I would have had to suppress.

LHYX1 has a great Python script for evading AV, is there anything else you can do with Python to evade AV?

Re: Questions about evading AV software with Python

From what I understand, anti-virus software has basically whitelisted anything that is Python. I think that is because, just like with Java, they can't tell one Python script from another to determine whether it is malicious or not. They would have to ban all Java and Python.

So the theory is that by putting shellcode in the Python script, you can evade anti-virus. You can go one step further and use PyInstaller to create an executable from your Python script so that it can be run on the victim's computer (without Python installed).

Yes, you can run Poison Ivy as a Python array. I have not tried it, but that was the reason behind it.

Exporting to a Python array is simply exporting a bunch of code that you can copy and paste into your Python script. You will need a Python script that can load shellcode.

So your task, if you choose to accept it:

1. Export shellcode from Poison Ivy.
2. Find a Python script that can run the Python shellcode generated from Poison Ivy to connect back to the Poison Ivy command center.
3. Get the above working standalone.
4. Use PyInstaller to create an executable from the above.
5. Automate all of the above using a Python script.

And of course report back here on your progress so that we can help and learn from your experiences.
